In fact, I am almost certain that if it is saved in the database it's like encoded well.

Plus, not sure what the big deal is about it anyways. Not like someone could do much with just your email address. The most I could see is random spam of advertisements which you can just mark as spam but I really doubt JGO would do that.

SMF's security in general is pretty slipshod (and pretty much all forum software sucks), but I'm sure Riven has been doing a heroic job in attacking the worst of it. I hope you're not reusing any passwords in general, and especially not on forums. If the communication channel to your email isn't secure, you have way bigger problems than exposing a forum password.

Everything I use has a different password for just such a reason; and I take all of the precautions I know about and/or reasonably can do without actually disconnecting myself. That being said, I have no control over the communication channel of the e-mail outbound from the forum server. My communication channel to my server is secure, but the rest of the internet I can't fix.

I know most forums are lax in security, but that doesn't mean I'm not going to offer some suggestions when I see an easily-fixed problem. (it should be like a 60 second fix: remove that line from the "user-confirmation" email; save; deploy; done)

I'm not like raging upset or anything was just slightly miffed at seeing the password I just typed displayed to me on my screen (imagine you were typing your password in somewhere, and instead of seeing '●●●●●●●●●' you see '123456789' you'd be probably mildly irritated). I'll say, I was as upset at seeing my password as I would be from having dropped a piece of food I was eating. It's just "aww, man... not cool".

Shane, it's not my e-mail address I'm concerned about, it's the password. IF I used that password for other things (which I don't, but a lot of people do) and someone got a hold of it, they could do some nasty things. My e-mail got broken into a few years ago (before I took more precautions) and it was really annoying to deal with all the fallout from it.

I actually thought the exact same thing when I signed up for the forums. There really isn't any reason to email a password to the person who just entered it. If they managed to type the same thing twice in a row, they should be able to remember it just long enough to log in.

This is an internet forum. If you seriously think that any such forum provides better security than plain text passwords in emails you are very naive. Also think about what it's for. There is little point having bank level security... not that some banks don't have security this bad too.

Note that hacking/eavesdropping on your email is probably harder than just directly hacking the site. It really does not matter much if the passwords are plain text in the database simply because once the site is compromised, they can just install a password scraper on the login page anyway. Well there is some merit I guess, but not much.

I have no special talents. I am only passionately curious. -- Albert Einstein

This is an internet forum. If you seriously think that any such forum provides better security than plain text passwords in emails you are very naive. Also think about what it's for. There is little point having bank level security... not that some banks don't have security this bad too.

Disagree. Defence in depth. We should all educate users about using different passwords on different sites, and in addition we should all ensure that software we write or maintain doesn't expose passwords.

Note that hacking/eavesdropping on your email is probably harder than just directly hacking the site. It really does not matter much if the passwords are plain text in the database simply because once the site is compromised, they can just install a password scraper on the login page anyway. Well there is some merit I guess, but not much.

There is quite a bit of merit. It protects people who sign up once and never come back; and it protects against compromise of a backup of the database (e.g. a disk which is badly disposed of).

I never claimed or assumed that forums are supposed to provide bank level security.

What I am saying is: there is a very simple change that would (if ever so) slightly improve the security of the site, it'd make (at least some) of your users happy, it would take literally a minute to implement, there are no downsides.

Why some users here are complaining about me offering such a suggestion is confounding... especially in a forum regarding software development (we're all here to learn and improve right? not just troll new users?)

Mods/site-owners, any irritation in my posts here is regarding the replies from people. My original post is just a friendly suggestion to improve the site.

Anyway, that's all I'm going to post here.

Well yea but it kinda seemed like you were to me.

Mostly with how you jumped at it just because the email it sent you had your email contained in it in text, you assumed that it was stored in the database as text.

They could have your email encoded so that if someone hacked the site and got it, it may look like a jumbled mess of letters. I am sure JGO "if they do encode in any way, I'm just making an example" have a way to decode it and send it out.

I think when you reset your password, it also sends you a new password in plaintext that lasts indefinitely instead of a one-time reset link. SMF is best secured by unplugging the machine that runs it.

why would anyone on earth save passwords as plaintext - though it happens

when I learned PHP waay back, I learned, well, you save passwords into the database by using a hash, in that case md5 (it's long ago), incredibly easy to use, and before lulzsec hacked all Sony pages, the mere idea that anyone, let alone a big page, would save passwords in plaintext wouldn't even occur to me

after that I wrote sha512 stuff for passwords, easy to use and all

so I don't know what the big deal is with pages and security

in case of md5 hash, it's only 1 line of code D:

and writing your own sha512 isn't very much either - and you just write it once anyway.

If you want really securely hashed passwords, use bcrypt, which isn't crackable in seconds with rainbow tables on a GPU like md5 is. PHP has built-in support for using bcrypt (blowfish) in its crypt() function, using BSD's insane "modular crypt" API. For once I can't blame the API on PHP, but PHP of course manages to do one worse in that if it doesn't support the requested implementation, it falls back to using a terrible built in crypt function instead, making it both insecure and unportable!

Ultimately though, if your password database is compromised, hashing only slows attackers down. You still better invalidate every password.

when I learned PHP waay back, I learned, well, you save passwords into the database by using a hash, in that case md5 (it's long ago), incredibly easy to use, and before lulzsec hacked all Sony pages, the mere idea that anyone, let alone a big page, would save passwords in plaintext wouldn't even occur to me

This is exactly the false sense of security many developers have. Hashing passwords is not enough, regardless of the algorithm. There are rainbow tables that you feed the hash into, and it (often) simply gives you the original password.

Hi, appreciate more people! Σ ♥ = ¾ Learn how to award medals... and work your way up the social rankings!

I know most forums are lax in security, but that doesn't mean I'm not going to offer some suggestions when I see an easily-fixed problem. (it should be like a 60 second fix: remove that line from the "user-confirmation" email; save; deploy; done)

I guess you're not familiar with the SMF sourcecode.

It's a steaming pile of shit. Seriously. Locating that single line of code is probably going to take me 10 minutes.

Going to 'fix' it now, though.

Edit: It's also worth noting that SMF is laughable regarding security. I just stumbled on this code:

It's a steaming pile of shit. Seriously. Locating that single line of code is probably going to take me 10 minutes....It's also worth noting that SMF is laughable regarding security. I just stumbled on this code:...

But keep in mind that this forum is still based on 1.1.15. The current version is 2.0.2. I'm not sure if the 2.x-branch has improved in this respect (haven't looked at the code to protect my eyes), but it might...

1.1.15 is the latest of the 1.x branch and just as secure as 2.x (which means it is horrible).

I'm not saying it's secure with sha512 but it's an obvious thing to do and better than PLAINTEXT. Well, of course that's kind of an oxymoron, since there's no such thing as "more" or "less" secure, only effective or not. But you know, plaintext passwords just baffle me, and as opposed to SQL injection and stuff it's not as hard to avoid.

I'm not saying it's secure with sha512 but it's an obvious thing to do and better than PLAINTEXT

This reasoning is exactly what I mean with 'false sense of security'.

Excuse my French, but hashing a password with sha512 is worth shit. You could just as well have stored the password in plain text. There are more than enough rainbow tables available to 'convert' the hash back to the original value (with a high probability). What you need to do is salt your hash. Only then do you make it nearly impossible to 'recover', other than by brute force.

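The point made above about rainbow tables and salting (and the earlier remark about bcrypt via PHP's crypt()) is easy to see in code. The following is an added example, not code from this thread or from SMF: it builds a small precomputed table from a constructed list of common passwords, shows that the table recovers an unsalted SHA-512 hash by a single dictionary lookup, and then shows that a per-user random salt plus a slow key derivation defeats the same table. Python's standard library has no bcrypt, so PBKDF2-HMAC-SHA512 (hashlib.pbkdf2_hmac) stands in for it here; the record format "pbkdf2_sha512$iterations$salt$hash" is my own invention for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample of "common" passwords. A real precomputed/rainbow table
# covers millions of candidates, but the mechanism is the same.
COMMON_PASSWORDS = ["123456789", "password", "qwerty", "letmein", "hunter2"]


def sha512_hex(password: str) -> str:
    """Unsalted SHA-512, the storage scheme the thread argues against."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


# Precomputed once, reusable against every unsalted database in the world:
# hash -> original password.
PRECOMPUTED = {sha512_hex(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(stored_hash: str) -> Optional[str]:
    """Recover a password from an unsalted SHA-512 hash by table lookup (None if absent)."""
    return PRECOMPUTED.get(stored_hash)


# Slow, salted derivation. PBKDF2 is used here as a stand-in for bcrypt
# (assumption for this example; bcrypt/scrypt/argon2 are the usual choices).
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def store_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the record to store: scheme$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha512${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha512":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def lookup_salted(record: str) -> Optional[str]:
    """Apply the same precomputed table to a salted record: it never matches,
    because the attacker would need a separate table per salt value."""
    dk_hex = record.split("$")[-1]
    return PRECOMPUTED.get(dk_hex)


if __name__ == "__main__":
    pw = "123456789"
    print("unsalted sha512 recovered:", lookup_unsalted(sha512_hex(pw)))
    rec1 = store_password(pw)
    rec2 = store_password(pw)  # same password, different salt -> different record
    print("salted record recovered:", lookup_salted(rec1))
    print("same password, identical records?", rec1 == rec2)
    print("verify correct password:", verify_password(pw, rec1))
    print("verify wrong password:", verify_password("123456780", rec1))
```

Two details matter in practice: the salt is stored in the clear next to the hash (it is not a secret, its job is only to make precomputation useless), and the work factor is what makes even a targeted brute-force attack on one user expensive, which is the property bcrypt was designed for and plain sha512 lacks.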
Computing all hashes from all possible unique files of 65 bytes, you will find at least 256 collisions. Computing all hashes from all possible unique files of 66 bytes, you will find at least 65536 collisions. Computing all hashes from all possible unique files of 67 bytes, you will find at least 16777216 collisions.

java-gaming.org is not responsible for the content posted by its members, including references to external websites, and other references that may or may not have a relation with our primarily gaming and game production oriented community. Inquiries and complaints can be sent via email to the info-account of the company managing the website of java-gaming.org.